My wife found my email in the Ashley Madison database
Will you believe me when I tell you I didn’t put it there?
Like many thousands of couples and ex-couples across America, one evening this week my wife and I found ourselves discussing the Ashley Madison hack. As anyone with access to a form of mass media knows by now, on Tuesday hackers dumped online 10 gigabytes of information—including emails, credit cards, and other details from 33 million Ashley Madison account holders—pilfered in a July attack against the extramarital affair social network. Within a day, there were several web sites providing tools for searching that data by email address, thus beginning a national online game of who-can-we-catch-cheating.
My wife and I talked about what it would mean to be found in the database, how we’d react, how surprising it might be in our own case, given that we’ve been married less than a year. The next morning, as we were chatting online about other things, she sent me a screenshot of one of those sites, with my email in the search box:
“I only did this because you brought it up,” she said. “Also you have too many emails and are too tech savvy for this to even mean anything. I’m sure if you used Ashley Madison you wouldn’t use your main email.”
This much was probably true, I had to admit. Well then, I said, you should probably check them all. Five minutes later, she sent me another screen shot:
The only comment attached to the image was “!!.”
I don’t recall exactly when I realized that a significant group of people other than myself were using my personal email. By “using” I don’t mean spamming me, but actually giving out my email, firstname.lastname@example.org, as if it were their own—to online businesses, colleagues, and friends. For all I know, it could have been happening since I opened the account a decade ago. But I do remember that a few years back, when the number of seemingly stray inbound emails became noticeable, I at first assumed it must be some kind of elaborate online gaslighting. Had I at some point ordered a self-published romance novel called The Teacher’s Billionaire and forgotten, as the receipt from Amazon indicated? Had I, perhaps on a night of too many cocktails, signed up for Yelp in Indianapolis and started reviewing businesses? Or was someone seeding my email address everywhere, prank-like, to clog my inbox?
As it happened, I was used to receiving a fair amount of weird email. In 2009 I wrote a story for Wired magazine for which I tried to disappear for a month, challenging people to find me (they did). One consequence of that public stunt was that, for a brief period surrounding the contest, a lot of people were impersonating me online, scooping up email addresses and Twitter handles in my name. (Even today, I typically can’t obtain logins or social media handles using my full name—a name which, while not singularly unique, is pretty uncommon.)
But this flavor of misdirected email felt different. As the volume grew, I eventually deduced that the intended recipients were actually other real E. Ratliffs. These Ratliffs, who as far as I knew were unrelated to me, when asked to provide their email in a wide variety of settings, were intentionally or unintentionally giving it as email@example.com.
Over time I felt like I came to know some of them. There was Erin, who bought a Chevrolet from a dealership that followed up dutifully on the anniversary of the purchase. Eric, who always seemed to be job hunting online. Elmer, who paid his insurance on time and got a thank you note from his agent. Generally it was easy enough to unsubscribe to mailing list-type notices, but when I got a message that Ella’s tax return needed attention, there wasn’t much I could do help. The only way I knew to get in touch with her was with my own email.
And so it went: Earnest, Eric, Elizabeth, Ebony, and on and on. I began to wonder how many E. Ratliffs there were in the world. Often I found myself suddenly in the middle of strange group discussions with their friends or colleagues, as when I was included on a long series of planning emails for the American Advertising Federation. I replied to try and straighten it out. ”Apologies for intruding, but I’ve come to the conclusion that you’ve got the wrong E. Ratliff on this list,” I told them.
“Thanks Evan,” the group leader wrote back. “You are right. We’ll make the appropriate corrections to the email list.”
A week later, they sent me the minutes for the Audit and Finance Committee to review.
At another point I ended up on a group email for parents of kids in a t-ball league in central Missouri, on a team with what sounded like a fantastic coach. I sent him a note too, fearing that the real E. Ratliff’s child might miss opening day. He thanked me and said he’d pass on my request that his local E. Ratliff to stop using my address. “If you make it to Concordia MO in the next month or so,” he added, “I’ll set you up with a ticket or two to a game.”
Earlier this year, my email was for several months part of a hyper-organized but reply-all-happy women’s book group in Georgia. By this point I’d stopped bothering to try and untangle myself from the other Ratliffs’ correspondence. And anyway, I really loved the camaraderie of the club. They seemed such a supportive, more-than-just-books book group. When they planned a weekend trip to Hilton Head Island, I thought about crashing it. What could they say? After all, they’d invited me.
The reasons why these people give out my email instead of one that they can access have always been a bit mysterious to me. It’s one thing to save yourself some spam by using a throwaway address. But why use someone else’s for correspondence you actually want to receive? The closest I’ve come to a working theory is that a lot of them, having been slow off the mark to obtain their own gmail, have addresses like firstname.lastname@example.org. Either they believe they can leave off the numbers and receive the messages anyway, or they often simply forget. That or the E. Ratliffs of the world just view email@example.com as some kind of shared resource.
I have at times felt like I was invading these Ratliffs privacy, with my little peeks into their worlds. But there was never a way around it; I had to read the email to know it wasn’t for me. Other times I resisted the impulse to use my power nefariously—log in to their Amazon account and order myself something small, just to give them a taste of what it feels like when someone hijacks your identity.
Mostly, though, I grew to enjoy being a kind of hub in the E. Ratliff community. Just yesterday I received a formal-sounding email from a young man—maybe 12 or so, based on his avatar—addressed to a “Mrs. Ratliff.” “The thing I am most excited about this year is my classes because I think they will be very fun and interesting,” he wrote. “I found that I learn best when I’m shown how to figure out a problem through walking me through it.”
After my wife found out that firstname.lastname@example.org was in the Ashley Madison database, I went back and searched my gmail archives. As it turned out, the trail was all there. The account had been opened a few years ago, pegged to a state I’ve never lived in. I found a couple dozen notices of “New Females in your area who have joined,” and one direct solicitation that sounded fun but somehow less-than-believable. “I with the big impatience,” the supposed woman wrote, attaching a picture of herself lounging provocatively on a patch of unmowed grass. “Will wait your step to my party.”
I went to AshleyMadison.com login page and clicked the password reset link—the downside of using someone else’s email is that they can employ this method to change your password and take control of your account. Via email@example.com, the site helpfully directed me to a page where I could set a new password, and I logged in under the handle I’d found in the emails. The profile was sparse, describing a man in his early 50’s, a decade older than me but an inch shorter and 10 pounds lighter, living in a major metropolitan area. His Intimate Desires and Perfect Match hadn’t been filled out. If he’d connected with any potential hook-ups, the evidence of it had long since been deleted. More likely, I assumed, he’d had the impulse to check it out, signed up with my email, and moved on.
I have an inkling which E. Ratliff this might be, among the many whose email I know, just from the circumstantial evidence. I’ve gotten some coupon solicitations in his area. It’s not any of the E. Ratliffs mentioned above, but even if it was, I wouldn’t tell you. E. Ratliffs have our secrets, and we stick together. If I did reveal his real identity, though, what then? What would we understand about E. Ratliff, or the moment when he typed that URL and filled out that form? Would we feel better about ourselves in the knowledge that he had that moment?
I know what you’re thinking: Maybe it was me, after all. What better way to cover for your email showing up in a database of people pursuing infidelity (no wait, “exploring;” no wait, “considering”) than to write an elaborate story about how your email has always been used by other people? Get out ahead of it, play offense. I’ll confess, the thought crossed my mind as well. It’s all very convenient, that part of the story. The language seems very carefully chosen. Looking back over it, it doesn’t read particularly definitive one way or the other.
Earlier this week John Herrman argued persuasively on The Awl that the Ashley Madison hack—among the recurring data breaches of the past several years—was “unprecedented in terms of personal cost”:
“Understood in more abstract terms,” he concluded, “this hack has the potential to alter anyone’s relationship with the devices and apps and services they use every day.” Maybe so. Privacy can be dismissed as immaterial, perhaps, until a bold red font tells you that your email “was found.” You have “nothing to hide” until that which you didn’t realize you should hide—or couldn’t have if you wanted to—is revealed to the world.
So far, though, our media-fluffed reckoning has consisted largely of an orgy of puritanical schadenfreude and moralistic rubbernecking. The question has been not whether to search the database—Amanda Hess at Slate thoughtfully concluded that the answer to that question should be “no”—but whose email and how fast. Search the database and you will surface the hypocrites. Search the database to spotlight the morally weak. Search the database to destroy the powerful.
In offloading our mores to the results of a database query, though, it becomes difficult to locate those bright lines between the hypocrites and the righteous. Sometimes when you search the database, what you find is you.